macro security setting - unwanted!

Question

Well, today WLOC's monthly report popped up to tell me what it had been up to lately. And, finally, something that's been bugging me for a couple of weeks (probably since I first installed the beta) has been explained ...

A couple of weeks ago, when I opened an Excel spreadsheet which contains a macro that I wrote, a warning popped up that the macros in my spreadsheet had been disabled. I've been updating this spreadsheet daily (weekdays) for years and never had this problem. Now, every time I opened it, I got this warning and had to go to options to set the macro security level to "low" so I could run my own macros, on my own spreadsheet, on my own home computer. What the ***?!!!

Sooooo, WLOC "confesses" to me today that it is the culprit that has been doing this. I hope the writers of WLOC will offer an option to disable this behavior. Also, some other things that it's doing without asking, like resetting IE cache settings, are bothersome.

If there are already options in place to change these "features", then I apologize - I just haven't noticed them. However, if not, then please give us users a way to choose whether or not we want WLOC to behave that way. Thanks!

Monday, 19 November, 2007 12:51 AM

Answers

What you are seeing is the “Super Tune Up” (also known as Tune Up Settings Check); it automatically makes this change on the machine. The Macro security setting is one of 24 settings that OneCare checks on a daily/weekly/monthly basis, depending on the setting, and will change it if found to be set to an insecure setting.

There is no way to turn this off.

The workaround for this is to make a digital certificate so that you can use your documents with macros.

You can use the program Selfcert.exe to sign macros or templates you create for your own personal use. Certificates created for use on your own computer are accepted only for the computer the certificate was created on.

Selfcert.exe calls Makecert.exe; both programs are available with Office in the Office 2003 folder and are not available with the Microsoft Office 2003 Editions Resource Kit. However, signing a macro, template, or file with Selfcert.exe does not provide a high enough level of authentication to provide reliable tracking of the source of the file back to its developer. Therefore, if a file you sign with a signature created from Selfcert is distributed to other users, they will not be able to accept your certificate if they are running High security, because the certificate does not have a high enough security level to authenticate who you are. Only a certificate issued by a certificate authority can be used to provide a distributable certificate and signature to others and still pass through Medium and High security levels in Office.

There are limitations to the deployment of Selfcert.exe certificates applied to a macro when macro security is set to High:

Setting security to Low and then running the macro does not register the certificate in the trusted sources list.

Security must be set to Medium or High before any certificates are posted to the Trusted Publishers list. In cases where security is set to High on all computers, a Selfcert.exe-signed macro can be deployed, but it does not have a secure enough certificate for use by other users who are running with the High security level. Only a certificate issued by a certificate authority can be used to provide a distributable certificate and signature to others and still pass through Medium and High security levels in Office.

Selfcert.exe-issued certificates are not managed by a certificate authority and do not provide for certificate revocation checking.

Selfcert.exe does not provide a certificate of trust with a traceable signature.
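To see how the limits described in this answer apply on a given PC, the following added example (not part of the original answer, and not Microsoft's or OneCare's code) audits the current user's Trusted Publishers certificate store. The function name `Get-TrustedPublisherAudit` is hypothetical; the store paths are the standard Windows certificate provider locations, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: report which trusted macro publishers are self-signed,
# whether they chain to a trusted root, and whether they can be revoked.
function Get-TrustedPublisherAudit {
    param(
        # Standard per-user Trusted Publishers store (assumption: per-user trust).
        [string]$StorePath = 'Cert:\CurrentUser\TrustedPublisher'
    )

    # Certificates in the user's Personal store that have a private key were
    # created on (or imported with their key into) this computer.
    $localKeys = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object { $_.Thumbprint }

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # A self-signed certificate names itself as its own issuer.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)

        # Build the chain with revocation checking off, so the result only
        # says whether the certificate leads to a trusted root at all.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainsToRoot = $chain.Build($cert)

        # OID 2.5.29.31 is the CRL Distribution Points extension. Without it
        # there is nowhere to look up whether the certificate was revoked.
        $hasCrl = [bool]$cert.Extensions['2.5.29.31']

        [pscustomobject]@{
            Subject           = $cert.Subject
            Thumbprint        = $cert.Thumbprint
            NotAfter          = $cert.NotAfter
            SelfSigned        = $selfSigned
            ChainsToRoot      = $chainsToRoot
            HasCrlPointer     = $hasCrl
            KeyOnThisComputer = ($localKeys -contains $cert.Thumbprint)
            Expired           = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# Usage: list self-signed publishers first, since those are the entries
# that no certificate authority vouches for and that cannot be revoked.
Get-TrustedPublisherAudit |
    Sort-Object -Property SelfSigned -Descending |
    Format-Table -AutoSize Subject, SelfSigned, ChainsToRoot, HasCrlPointer, KeyOnThisComputer, Expired
```

An entry with `SelfSigned` true and `KeyOnThisComputer` false is worth a closer look: it is a self-signed publisher that was trusted on this machine but created somewhere else.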

My PCs were just upgraded to OneCare 2 this week & this immediately caused me much inconvenience. I depend on Excel macros: Now I have to manually turn them on each time I load the files..... aaaaargh!

How long is it going to take to get this issue resolved? Our entire office is using macros extensively and requiring security changes, for all the systems every time they load an excel file with macros, is going to cause a major expense for our company - not to mention a major inconvenience for support. I will have to remove OneCare from all our systems if this is not resolved immediately!

I don't know about the settings in OneCare that are in need of customizing, but I believe I found a work-around for avoiding the continual resetting of the Macro Security in Excel and Word. It occurred to me that the problem was being caused because of not having an appropriate security certificate, so I opened the Tools/Macro/Security dialog and set the Security Level to Low. On the Trusted Publishers tab I checked the checkbox for Trust access to Visual Basic project. This seems to have resolved the issue.

"so I opened the Tools/Macro/Security dialog and set the Security Level to Low"

I tried changing security settings a while ago, including Trust access to VB project, and it did not stick. But in the last week or so it seems to be fixed; I assumed there was a OneCare update to fix this. Now whenever I open an Excel file with macros I get a dialog box to disable or enable on medium Security setting, disabled on high security and all allowed on low security. This is back the way it was before the OneCare 2 update. It stays the way I want.

Contrary to what others have mentioned previously, setting the VB checkbox for macro security in Excel didn't fix the problem for me. I still have to change the security level from "high" to "low" every time (daily) I open my first spreadsheet, then save the setting, and re-open it before I can use my macros in this and the other spreadsheets for which I've written macros. Surely would be nice to have a fix for this!

Here's a thought. The macro security settings are being set to high for a reason - to prevent malware from executing malicious code. If Microsoft documents which employ macros are provided with a Certificate, the Security level can be set to high and macros may still be executed. Microsoft provides a means of creating a certificate by using the SelfCert.exe. This file should be located in the following location: "C:\Program Files\Microsoft Office\Office10\SelfCert.exe" - or it may be found by using the Search feature.

I used this option to create a Certificate which I attached to all my Visual Basic macros (in the Personal.xls file) and then configured our systems to "Trust" the certificate I created - problem solved.

Here's another thought - these "macro security settings" are called OPTIONS! By definition, that means there is supposed to be a choice. I choose to set my macro security to "low" because they give me that option and that's the way that I want it. If some piece of software (i.e. WLOC) comes along and continuously resets the option that I've chosen, it ceases to be an option. MS should either quit calling it an option or give the choice back to me and leave the setting at the value that I've chosen for my particular system and environment.

In theory, you are correct.

In practice, since we've chosen to use OneCare, we are being protected by OneCare from making bad choices and compromising security.

That said, I'm not so sure that OneCare *should* be doing this. The answer that danzig provides is a workaround, in my opinion. As danzig notes, there are currently 24 items (many of which are unknown to me!) that OneCare checks and "fixes" silently. OneCare, in my opinion, needs to have these items clearly identified and needs to allow me to choose to accept or deny these changes, with the appropriate warnings. In cases like this - the macro settings - OneCare should have clear Help Text that spells out why the change is being made and provides details on how to deal with the enhanced security settings, much like danzig's clear explanation of how to "sign" the macros.

-steve

Steve,

Thanks for your reply. I totally agree with your assessment of the situation.

And I, too, would like to know what some of those other 24 items are! I suspect several have to do with IE settings since I've lately been forced to use Firefox for some websites where IE no longer works or presents various problems.

I too have to reset the security DAILY in Excel because of WLOC. I would hope they get a fix for this soon.

I am going to try Trust Center, Trust Center Settings, Trusted Locations, and add my folders to the trusted locations (including sub folders) and see if this helps.

I think you need to go the self certify route that danzig outlined in the post marked as the answer for this thread for now.

-steve

I tried creating the certificate and that just changed it from one annoyance to a different annoyance. If I left the macro security setting on "high", WLOC still changed it back to low and gave me the original error message. If I set it to "medium", then WLOC would leave it there but then, when I tried to use my spreadsheet, I got a new pop-up that said, in so many words, "are you sure you really want to run a macro here?" I had to click on something to continue. This was almost as annoying as the original problem. So, I just set it back to low and "fight" WLOC every day for control of my spreadsheets!

If creating the certificate should have fixed my problem, then maybe I set it up wrong or maybe there's another step that I just missed (adding it to a trusted list?) - if someone could please go over it again in detail - thanks.

Not having used that process myself, (I guess I've been fortunate to not be running Office apps with macros often on any of my machines running OneCare) I can't tell you what the process for the self certify is except to point you back to that original post by danzig.

This is why I indicated to danzig in another thread that the process is useless, since even a programmer could get lost trying to make it work.

The issue here as usual was created by a different group at Microsoft, the totally oblivious MS Office development group, that hasn't had a clue for years. They are the source of many of the worst security offenses and least useable utilities that Microsoft has ever created. However, they are the first to point fingers elsewhere when something doesn't work.

In this case, they've created a barely functional method for self-certification of a macro that requires a degree in engineering to operate and then defaulted their current security profile to levels that cause this to be a basic functional requirement. When OneCare comes along and tries to enforce what is actually a completely reasonable level of security, the issue is exposed, but of course it's misunderstood by all but the most knowledgeable security professionals.

I understand the wish to simply return to the days of setting the Macro Security to Low, but the real problem here is that the Office dev. group has made a critical security feature useless. Without a Self-cert process that a normal user can understand there's no reason to believe this necessary security feature can ever work properly.

If you don't understand what I'm saying, it's this: go complain like bloody murder in the Office forums that they need to add a Macro Self-cert process that a user can use. There's simply no excuse for this not being provided as an enhancement to at least Office 2003 and newer, especially if there isn't already something better included in Office 2007.

Another mystery. Can you tell that I dislike the fact that there are settings monitored and changed by OneCare per a list of settings that are not exposed to us, but can apparently be updated with a signature/rules or minor version update?

james.perkins: you should look at danzig's post earlier in this thread. I don't like that it's entirely too difficult to perform, which isn't his fault, but it's the only real solution in the short run.

sluggoslade: did you notice anything like an upgrade or other change? Do you remember when this changed for you and had you tried to change anything before it stopped?

Actually I do believe at least some, if not all of these settings went through at least a portion of the beta, though they were never mentioned publicly until 2.0 was released. I recall at least one person complaining of this specific Macro Security setting issue, but no one ever determined where it was coming from or mentioned that it was being done on purpose until after the release.

james.perkins has the core problem identified, but not why it happened. It's quite simple really, the entire beta process including the Perpetual is filled with 'techies' who like to play with software but aren't the real users of OneCare. This has been an issue from the beginning, but is becoming more severe as time goes along. In this specific case, it's unlikely that someone who'd create and use their own macro, usually for business use, would ever be involved in a beta. That's why we only saw one instance of this before the release. The idea of increasing the number of members of the beta groups will only work if they specifically recruit the type of people who really use the product, non-technical home and SOHO business users.

I want to also be clear that I am not at all against the fact that these settings are being performed by OneCare. My beef is with the way it was implemented without warning at any point and the fact that some of the items seem to have little or no true security value. This specific setting is actually very appropriate, but without either warning or a simple, effective method to Self-certify a macro, it's simply become a problem that didn't need to exist.

Each time I started Excel I went into Excel security settings and reset the level to Medium. Then one day that setting stuck and no more problems. I cannot remember what else I could have done to reset anything. There are 2 ways to get to this setting: Under Tools/Options and under Tools/Macros. This is Office XP, by the way.

I notice that the security form displays "No virus scanner installed". Is this normal?

This problem is very annoying to me as well. Up until now I had not put the pieces together and known it was Live One Care related. A couple of weeks ago, I discovered the self certification digital signature. I was able to do that with no problems, but it is only good on the computer where the macro is created. I do a lot of work in Excel and distribute my work among co-workers at our six locations scattered around the state, so my self certification is virtually worthless. If anyone has a better solution, please post it here.

Update to previous post. I rarely work with Word because most of my work is in Excel. I have recently discovered that I almost cannot print any Word documents. I get the "Macros disabled" message when I attempt to print a document even if there are no known macros in the document. There are a lot of features I really like about Live OneCare, but I am about ready to scrap it and go back to McAfee. Is there any help out there to resolve these issues?

No, I tried setting security to medium to allow me the option of enabling, but it won't stay set. When I close the security window and re-open it, it is back on High. I first discovered the problem while trying to print some labels. I have the Avery wizard plug-in installed and get that tool bar every time I open Word, so I wondered if that was causing a conflict. However, the print problems are coming up on almost everything I try to print. I had a form I created a couple of years ago, just a plain Jane straightforward form, that would not print yesterday. I had another document file I had received by email from a co-worker that would not print. I transferred both files to another machine running Office 2000 and Win XP with AVG virus protection and they printed with no problems at all. I should also add that on my home PC, which is XP, every time I close Outlook, I get a message about needing to close a Word document. That machine also has Live OneCare installed.

I am running Office 2003 Professional. After my last post I removed Avery Wizard. I also opened Word and set the security to medium. It stayed set this time and I was then able to open and enable macros and print anything I attempted this time. I also discovered upon opening Outlook that DeskPDF auto starts on open. DeskPDF is a PDF printer in case you are not familiar with it. Anyway, it seems that I have found a workaround to my printing problems. Thanks for your help.

I'm glad to read that you have found a reasonable workaround and thanks for sharing that information here for the benefit of others. Now, if we could convince Microsoft that we don't need to have the macro settings forced to high.... :-)

One more discovery I made was that in my program files\microsoft office\office11\startup folder there was Awizard.dot, deskpdf.dot, and one other .dot file, all of which auto started when opening Outlook or Word. I deleted those and totally solved my issues with Macro security in both of those programs. Hope this helps someone else along the way until we can get MS to allow us to set the Macro security wherever we want it without it being automatically reset to High.

Phil,

Rather than trying to circumvent the operation of your security systems and the High Security setting for Macros in general, why not try other well known workarounds? Took me 5 minutes via Google and I don't even use Macros, or Excel often for that matter.

Digital Certificates and Trusted Sources for running Excel Macros under High Macro Security

The best overview I found within the linked articles also mentions that there are good reasons for these High Security settings, which is also why they're only likely to become more restrictive over time as they already have in both Office 2007 and Vista. I think that Self-signed Certificates are a bit too complex for the average user, but anyone capable of producing a Macro themselves should be able to figure it out.

The most difficult portion is likely to be explaining to users how to install the exported Certificate and Macro, so actually acquiring a verified code-signing digital signature from a Certificate Authority (CA) may make sense for someone who distributes as widely as you do. Don't tell me your company can't afford it, the time you put into creating the Macros, distributing them and explaining how to install them itself is probably worth 10 times what one of these costs already ($200-$500/year).